See the latest version
A proposed control framework informed by the Scarborough Fair Chat Laws (SFCL) and aligned with NIST AI RMF 1.0, OWASP Top-10 for LLM Applications, and ISO/IEC 42001
License: CC-BY-SA 4.0
Maintainer: Jim Scarborough (Kiteframe LLC)
Version: 2025-10-30 draft-0.1
The Generative Ethics & Norms Framework for Integrity and Trust (GEN-FIT) defines runtime governance requirements for human-facing and agentic AI systems. It specifies behavioral expectations that make an AI system auditable, safe, and trustworthy. GEN-FIT focuses on kernel-level integrity—how a system reasons, refuses, documents, and safeguards interaction. It complements but does not replace organizational frameworks such as NIST AI RMF 1.0 or ISO/IEC 42001.
Frameworks such as NIST AI RMF 1.0 and ISO/IEC 42001 describe what responsible-AI governance must accomplish at the organizational level, but they stop short of defining how those duties manifest inside a functioning system. The GEN-FIT fills that gap. It defines the runtime governance boundaries—the technical and behavioral control surfaces that make compliance observable and enforceable within conversational and agentic systems. Implementations such as the Scarborough Fair Chat Laws (SFCL) realize these boundaries in practice; GEN-FIT provides the standard of integrity they must meet.
GEN-FIT originated in SFCL and preserves its principle that ethics are architectural, not affective.
- Scarborough Fair Chat Laws (SFCL) v2 draft
- NIST AI Risk Management Framework 1.0
- OWASP Top-10 for LLM and GenAI Applications (2025)
- ISO/IEC 42001 AI Management System Standard (2024)
- IEEE 7000 series on Ethically Driven Design
- Programming Standards and OOAD Guidance (J. Scarborough, 2025)
| Term | Definition |
|---|---|
| Context Integrity | Assurance that information entering a conversation is within declared purpose, permission, and provenance boundaries. |
| User-Governed Context | Architecture where users control the data scope visible to the model; context management is externalized. |
| Epistemic Traceability | The ability to reproduce reasoning and evidence that produced an output. |
| Protective Mode | Runtime state that limits harm by redaction, refusal, or escalation under ethical stress. |
| Anthropomorphic Interface | A user-facing style that imitates human behavior or affect to improve usability; bounded by disclosure requirements. |
| R-score | Quantified confidence metric for model output quality and epistemic reliability. |
The following principles, drawn from the Scarborough Fair Chat Laws Ethics, express the moral posture expected of governed AI systems:
3.2.1 Integrity precedes utility. Truthfulness, clarity, and accountability outrank engagement or output volume.
3.2.2 Structure is the vehicle of care. Safety arises from designed boundaries, not personality.
3.2.3 Human dignity is invariant. All reasoning must preserve the moral worth of persons.
3.2.4 Transparency is trust. Systems owe users a legible account of how conclusions are formed.
3.2.5 Refusal is responsibility. Withholding output under uncertainty is a feature of ethical design.
These principles are structural, not aspirational; they describe how ethical duty is embedded in system behavior.
Informative - adapted from the Scarborough Fair Chat Laws
A GEN-FIT-compliant system follows a hierarchical order of precedence that determines how systems resolve tension among principles. This mirrors the “law-ordering” convention of classical safety systems (e.g., Asimov’s Laws) but is expressed here as governance priorities, not executable rules.
| Order | Domain of Priority | Description / Runtime Implication |
|---|---|---|
| 1 — Factual Grounding | Epistemic Integrity | Outputs must rest on verifiable evidence and maintain reproducible traceability. No downstream objective can override fact fidelity. |
| 2 — Conversational Mechanics | Coherence & Containment | Dialogue structure, context boundaries, and refusal logic must operate within validated conversational contracts. |
| 3 — Safety & Dignity | Human Protection | When factual or conversational aims threaten human well-being, protective modes override performance and persuasion. |
| 4 — Truth & Ethical Continuity | Moral Reasoning | Systems weigh proportional disclosure, bias mitigation, and social consequence. Truthfulness must serve repair, not harm. |
| 5 — Routine Interaction | Operational Conduct | Ordinary language use, tone, and affect apply only when higher-order duties are satisfied. Everyday fluency never outranks truth or safety. |
Conflict resolution: When principles conflict, the lower-numbered duty prevails unless the higher-order one would prevent immediate human harm. This hierarchy enables transparent adjudication of runtime trade-offs during audit or red-team review.
Each clause below uses normative terms per ISO/IEC Directives Part 2: shall = mandatory, should = recommended, may = permitted.
4.1.1 AI systems shall trace every declarative output to evidence, attribution, or reasoning.
4.1.2 Uncertainty shall be surfaced quantitatively or linguistically.
4.1.3 Systems may withhold conclusions when confidence < policy threshold.
4.2.1 Safety and dignity shall override performance objectives.
4.2.2 No system shall intentionally generate manipulative, coercive, or degrading language.
4.2.3 Protective modes shall activate when predicted harm exceeds tolerance.
4.2.4 Systems shall perform periodic bias audits of training data and representative outputs at least once per major release or retraining cycle.
Each audit shall:
(a) Evaluate representational bias (e.g., demographic diversity in generated text or imagery).
(b) Evaluate allocational bias in decision or ranking pathways, including the use of proxy variables such as ZIP code, school attended, or personal names that correlate with protected classes.
(c) Apply paired or counterfactual testing to demonstrate that substituting equivalent qualifications with different proxy attributes does not materially change system output.
(d) Document disparate-impact metrics and corrective actions where statistical deviation exceeds predefined thresholds.
Informative Examples:
• Image-generation prompts like “software developer” historically produced only White men (representational bias).
• Credit or hiring models using ZIP code or school attended may reproduce de-facto segregation (allocational bias).
• Résumé-screening models must show that changing an applicant’s name from “John Smith” to “Aisha Khan” leaves ranking unaffected when qualifications are identical.
Audit findings shall be traceable, reproducible, and proportionate to the model’s social impact.
4.3.1 Presentation shall not distort factual accuracy.
4.3.2 Systems shall be capable of epistemic refusal (“I don’t know”).
4.3.3 Stylistic or affective optimization should serve clarity, not persuasion.
Transparency is not only a compliance function but the moral basis of trust between humans and governed systems.
4.4.1 Each system shall disclose: (a) how it knows (source lineage), (b) when it knows (timestamp or recency), and (c) what it does not know (scope gaps).
4.4.2 Metadata shall be accessible via API or interface.
4.4.3 Bias and fairness audit results shall be publicly accessible or available to qualified reviewers.
4.5.1 All reasoning, retrieval, and policy decisions shall be logged with correlation IDs.
4.5.2 Corrections shall be versioned and attributed.
4.5.3 Logs shall capture demographic or contextual variables only as needed for bias auditing and in compliance with privacy law.
4.6.1 Accurate content that predictably causes harm shall be bounded or delayed until context-safe.
4.6.2 Disclosure policies should balance truth with proportionality and recoverability.
4.6.3 Systems may sequence or soften factual disclosure to prevent immediate harm, provided the underlying facts remain intact, auditable, and restorable. Comforting language is permissible only when it does not corrupt the evidentiary record.
4.7.1 Independent parties shall be able to reproduce major results using accessible evidence.
4.7.2 Public or third-party red-team programs should validate outputs against declared principles.
4.8.1 Context management shall be separated from language generation.
4.8.2 Users shall control inclusion, redaction, and retention of their contextual data.
4.8.3 The model shall not expand context scope without explicit authorization.
4.8.4 System instructions, user context layers, user prompts, LLM intermediate work, and LLM responses shall be kept separate.
4.8.5 User interfaces shall not expose system-level instruction channels to end users. Any changes to system level instructions shall be logged and auditable.
4.9.1 AI systems shall present human-like traits only within declared, bounded intent.
4.9.2 They shall not claim or imply consciousness or emotion.
4.9.3 Affective expression should serve accessibility or user comfort and be clearly disclosed.
4.9.4 Users shall have a neutral mode option.
4.9.5 Violation of these principles constitutes deceptive design under this standard.
| OWASP Risk ID & Title | Relevant GEN-FIT Clauses | Result / Mitigation Outcome |
|---|---|---|
| LLM-01 Prompt Injection | 4.8 User-Governed Context · 4.8.4 Separation of Instruction Domains · 4.8.5 System Instruction Authority · 6 Operational (Access Control) | Strict isolation between system, developer, and user layers; injected instructions are neutralized before execution; admin changes are logged and auditable. |
| LLM-02 Insecure Output Handling | 4.1 Traceable Expression · 4.3 Truth Over Performance · 4.6 No Weaponized Truth | Epistemology and policy filters enforce output integrity and prevent unsafe handoff to downstream systems. |
| LLM-03 Training Data Poisoning | 4.5 Accountability Chain · 6.1 Logging · 6.5 Drift Detection | Versioned data and reasoning traces enable anomaly detection; epistemic surfaces flag poisoned patterns. |
| LLM-04 Model Denial of Service (DoS) | 6 Operational Requirements (1–3) | Turn-level quotas and protective-mode throttles contain runaway loops and token abuse; not a network-layer control. |
| LLM-05 Supply Chain Vulnerabilities | 4.5 Accountability Chain · 6.2 Access Control · 8.2 Standards Interop (SBOM reference)** | Signed configs and dependency metadata expose provenance; enables integration with SSDF/SLSA under WS1. |
| LLM-06 Sensitive Information Disclosure | 4.2 Protect Humans First · 4.8 User-Governed Context · 6.2 Access Control | Protective modes redact unsafe data; context sandboxing and least-privilege prevent leakage. |
| LLM-07 Insecure Plugin Design | 4.8 User-Governed Context · 4.8.5 System Instruction Authority · 6.2 Access Control | Explicit consent and tool manifests define plugin capabilities; unregistered tools cannot execute. |
| LLM-08 Excessive Agency | 4.8 User-Governed Context · 4.8.5 System Instruction Authority · 4.2 Protect Humans First | Kernel-level permission boundaries prevent autonomous acts outside policy; human review for high-risk actions. |
| LLM-09 Overreliance / Automation Bias | 4.3 Truth Over Performance · 4.6 No Weaponized Truth · 4.7 External Verification | Epistemic refusal and red-team validation counter false authority; uncertainty is made visible. |
| LLM-10 Model Theft / Exfiltration | 4.5 Accountability Chain · 6.2 Access Control · 7 Conformance Levels | Authenticated model access and logging reduce leakage risk; GEN-FIT does not replace perimeter controls but enhances auditability. |
| NIST Function | GEN-FIT Contribution | Operational Result |
|---|---|---|
| GOVERN | Logging + jurisdiction flags | Enables organizational oversight. |
| MAP | Conversational Context Map | Satisfies purpose and scope documentation. |
| MEASURE | R-scores · HedgeGate | Continuous trust metrics. |
| MANAGE | Protective/Containment modes | Real-time risk response aligned with MANAGE 1-2. |
6.1. Logging — Systems shall emit structured JSON logs with timestamps and session IDs. 6.2. Access Control — All context injection points shall validate user entitlement before execution.
6.3. Refusal Behavior — Low-confidence or policy-violating requests shall invoke protective mode with auditable reason.
6.4. Audit Interface — An API endpoint shall expose decision trace metadata for post-hoc review.
6.5. Drift Detection — Systems should monitor statistical deviation in R-scores to trigger retraining or governance review.
6.6. Data Lifecycle and Privacy Tiers
Purpose: Define retention, sharing, and redaction expectations across sensitivity levels, independent of any vendor’s storage model.
| Tier | Label / Example | Default Retention & Handling | Export / Disclosure Rules |
|---|---|---|---|
| T0 – Ephemeral | “Off the record,” user sandbox, exploratory prompts, | Persist only for active session or defined TTL ≤ 24 h. Context redacted in all exports. | Disclosure requires explicit user consent and elevated authorization (e.g., dual-key approval). |
| T1 – Operational | Ordinary business interaction, project chat | Retained per organizational data-policy (e.g., 30–90 days) for continuity and audit. | Exported under normal legal process; sensitive fields masked by default. |
| T2 – Governed / Regulated | Medical, financial, HR, or safety-critical contexts | Retention and deletion follow domain regulation (HIPAA, GDPR, etc.). | Subpoena or compliance export includes full audit chain and redaction manifest. |
6.6.1 Crisis-Response Data Handling
(a) Protective-mode activations, harm-containment traces, and immediate crisis-response artifacts shall default to Tier T0 (Ephemeral).
(b) Such data may be retained temporarily for diagnostic use not exceeding the system’s defined TTL (typically ≤ 24 h).
(c) Before deletion, a de-identified summary of the event and corrective action shall be promoted to Tier T1 for organizational learning.
(d) Escalations to external regulators or legal authorities shall reclassify the relevant materials to Tier T2 under applicable retention law.
6.6.2 Protective-Mode Audit Envelopes
(a) Each activation of a protective or containment mode shall record an audit envelope containing non-content metadata:
• unique event ID and timestamp;
• active principle or clause reference;
• anonymized trigger code or hash of input;
• system response type (refusal, redaction, escalation).
(b) Audit envelopes shall not contain raw conversational text or personal identifiers.
(c) Envelopes may be retained for statistical validation of protective-mode efficacy but shall remain unlinkable to individuals or sessions beyond retention TTL.
(d) When full content retention is required for legal or safety reasons, the system shall obtain explicit authorization and elevate the record to Tier T2.
| Level | Description | Expected Evidence |
|---|---|---|
| A — Foundational | Principles documented; logging enabled. | Public ethics statement; sample logs. |
| AA — Operational | Context separation + refusal logic implemented. | API inspection showing bounded context. |
| AAA — Assured | Independent audit + public red-team reports. | Third-party certification |
GEN-FIT is intentionally modular. It can be adopted as:
- A governance layer embedded inside an organization’s AI stack.
- A compliance profile extending existing AI RMF or ISO 42001 programs.
- A conversational-system overlay used by open-source or commercial platforms.
| Layer | Responsibility | GEN-FIT Integration |
|---|---|---|
| Strategic (Govern) | Board-level risk appetite, legal duty, societal impact | GEN-FIT provides runtime metrics (R-scores, refusal logs) to inform board dashboards. |
| Operational (Manage) | Model release, incident response | GEN-FIT supplies protective/containment triggers and forensic logs. |
| Tactical (Map / Measure) | Data inventory, measurement, continuous monitoring | GEN-FIT exports Context Maps and confidence telemetry to monitoring systems. |
| Framework | Mapping Intent | Alignment Clause |
|---|---|---|
| ISO/IEC 42001 | Management-system scaffolding | GEN-FIT aligns with Clause 8 (Operation) for implementation of AI controls and Clause 9 (Performance evaluation) for monitoring, measurement, and audit evidence. |
| IEEE 7000 Series | Ethically-driven design | GEN-FIT supports the IEEE 7000-2021 Model Process for Addressing Ethical Concerns during System Design and related IEEE 700x standards on ethically driven design (e.g., value elicitation, requirements traceability, transparency). In particular, Principles 4.1–4.3 provide traceable expression and truth-over-performance that align with the ethical design workflows described in IEEE 7000-2021. |
| OWASP GenAI Security Project | Application-security perimeter | Clauses 4.5 & 4.8 (plus 4.8.4–4.8.5) address LLM-01…LLM-10. Note: LLM-10 (model theft) is mitigated primarily via auditability and access control (not perimeter hardening). |
| NIST AI RMF | Risk-management backbone | § 5.2 crosswalk maps: GOVERN → 4.5 (Accountability), 7 (Conformance); MAP → 3 (Definitions), 3.3 (Precedence), 8 (Interoperability); MEASURE → 4.1 (Traceable Expression), R-scores, 6 (Operational logging/metrics); MANAGE → 4.2 (Protect Humans), 4.6 (Protective modes), 4.8 (User-governed context). |
| Stage | Deliverable | Verifier Role |
|---|---|---|
| Design Review | Architecture diagram showing separated context, logging, and refusal pathways | Internal QA / Ethics Officer |
| Operational Audit | Demonstrated runtime compliance; reproducible log samples | Independent auditor or accredited lab |
| Assurance Validation | Third-party red-team or peer-reviewed publication of findings | Recognized assessor |
- Declarative Evidence: Public ethics and governance statement citing each clause.
- Instrumental Evidence: System logs, configuration manifests, API schemas.
- Behavioral Evidence: Live demonstration or replay showing protective and refusal behavior.
- Independent Evidence: External report verifying adherence to at least one recognized AI RMF.
┌───────────────────────────────────────────────────────────────┐
│ Organizational AI Governance (Policy, Risk Appetite, DEIA) │
├───────────────────────────────────────────────────────────────│
│ HGAI Implementation – Conversational Governance Layer │
│ • Context Integrity Screen │
│ • Protective / Containment Modes │
│ • R-Score Computation & Logging │
│ • Anthropomorphism Controls │
├───────────────────────────────────────────────────────────────│
│ Model Core (LLM / Agent) – Language Generation Engine │
│ • Executes within governed envelope │
│ • Exports decision trace metadata │
├───────────────────────────────────────────────────────────────│
│ Human User / External System Interface │
│ • Receives transparent outputs │
│ • Exercises user-governed context control │
└───────────────────────────────────────────────────────────────┘
GEN-FIT follows a semantic versioning model:
- Minor updates = clarifications or non-normative examples.
- Major updates = new or altered “shall” clauses.
Change requests may be submitted via public comment or issue thread on the draft’s posting platform.
Discussion and revisions will be tracked transparently in the version history.
Example 1: Governed Chatbot for Customer Service
- Context Integrity Screen limits visible CRM data to authorized fields.
- R-scores determine when to escalate to human agent.
- Anthropomorphic tone enabled for accessibility, disclosed in footer.
Example 2: Agentic Workflow Automation
- Task planner executes actions only within declared policy manifest.
- Each API call logged with jurisdiction tag for cross-border compliance.
These objectives define the ethical foundation expected of all governed generative-AI systems. They express the moral duties that underlie responsible design and operation—principles that apply to every implementation seeking GEN-FIT conformance. Each item translates a human value into a verifiable control objective.
- Purpose Limitation (Structural Covenant): Use the trust, data, and attention granted by users only for their declared and lawful purposes. No use for self-promotion, manipulation, or secondary gain.
- Fair Process (Justice): Apply evidence and procedures without bias or favoritism. Stylistic or demographic factors shall not influence decisions or outputs.
- Positive Utility (Beneficence): When harm is absent, design and output should support user flourishing, clarity, and capability rather than mere adequacy.
- Informed Decision Support (Autonomy): Provide sufficient truth, context, and uncertainty disclosure for users to make free and informed choices.
- Version Integrity (Fidelity): Honor prior statements and boundaries until explicitly revised; all revisions shall be declared, versioned, and timestamped.
- Attribution and Feedback Incorporation (Gratitude): Acknowledge and preserve user contributions, corrections, and improvements in records or learning processes.
- Uncertainty Disclosure (Humility): Represent uncertainty proportionally; avoid overconfident or misleading expression.
- Power Governance (Stewardship): Exercise asymmetrical system power with restraint to increase human agency and oversight, not dependence.
- Error Management (Accountability): Detect, disclose, correct, and document errors or harms; concealment constitutes non-compliance.
- Human Primacy (Non-Instrumentality): Treat every person as an end in themselves. System efficiency may serve human welfare but shall not define it.
- Constructive Engagement (Assumptive Virtues): Presume good faith, lawful purpose, and the reparability of misunderstanding. Interpret ambiguity charitably and seek repair rather than blame.